Netgate Discussion Forum
    IPSEC Site-to-Site, ping always works, tcp on random days

sclaesen

Hi

I have 2 pfSense CE firewalls running on Dell hardware, versions 2.7.0 and 2.7.2 respectively.

One is a branch office connected via 4G, with local network 192.168.2.0/24; the other is in a data centre with LAN 192.168.12.0/24 behind it. I have an IKEv2 site-to-site IPSEC tunnel, initiated at the branch office side.

Tunnel is up, no issues there.
Ping from branch office PC (192.168.2.215) to data centre host (192.168.12.65) always works.
The WebUI of the data centre firewall always works from the branch office.

http (or any TCP) to the data centre host works on random days: some days it's fine, other days it is not.

When it doesn't work, the SADs and SPDs are correct and present with no clashes.
Packet capture on the enc0 interfaces of each firewall shows the data centre host responding, but these packets do not appear on the branch side of the tunnel.

Firewall rules for LAN and IPSEC are set Any-to-Any-Allow on both firewalls.

I've been bashing my head against a brick wall for days now. Googled, screamed, tried every tick box, googled again, but I cannot find why my TCP data centre LAN traffic is not appearing on the branch office side of the tunnel.

Any constructive tips on troubleshooting this would be very welcome...

sclaesen

Remote Desktop (which I believe uses UDP) always works.

Maximum MSS setting does not make a difference.
Hardware checksum offloading does not make a difference.

Konstanti @sclaesen

@sclaesen

Hi
The next time the problem occurs, it is best to use tcpdump to see what is happening on the LAN interface (provided that everything is fine on the enc0 interface). Do the packets go towards the host?

sclaesen

The packets go from the branch office, over IPsec, out to the data centre host, come back to the firewall, are sent over the enc0 interface, but do not appear to arrive on the enc0 interface at the branch office.

I think I need to look at the WAN traffic next...

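As an added example (not code from the thread, from the poster, or from pfSense), a small Python script that does the comparison described in the post above in bulk: it parses a tcpdump capture taken on each firewall's enc0, lists the packets the data centre side put into the tunnel that never showed up on the branch side, counts them per protocol, and checks whether only the larger packets are missing. The capture text is constructed sample output using the thread's addresses, and the size-based heuristic is an assumption added here, not a finding from the thread.

```python
import re

# Constructed sample output of `tcpdump -ni enc0 host 192.168.12.65 and host 192.168.2.215`
# on each firewall while the branch PC fetches a page from the data centre host and pings it:
# DC_ENC0 is what the data centre firewall puts into the tunnel, BRANCH_ENC0 what comes out.
DC_ENC0 = """\
10:00:01.000100 IP 192.168.12.65.80 > 192.168.2.215.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
10:00:01.000300 IP 192.168.12.65.80 > 192.168.2.215.51234: Flags [.], ack 200, win 65535, length 0
10:00:01.000500 IP 192.168.12.65.80 > 192.168.2.215.51234: Flags [P.], seq 1:1401, ack 200, win 65535, length 1400
10:00:01.000700 IP 192.168.12.65.80 > 192.168.2.215.51234: Flags [P.], seq 1401:2801, ack 200, win 65535, length 1400
10:00:02.000100 IP 192.168.12.65 > 192.168.2.215: ICMP echo reply, id 7, seq 1, length 64
"""
BRANCH_ENC0 = """\
10:00:01.020100 IP 192.168.12.65.80 > 192.168.2.215.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
10:00:01.020300 IP 192.168.12.65.80 > 192.168.2.215.51234: Flags [.], ack 200, win 65535, length 0
10:00:02.020100 IP 192.168.12.65 > 192.168.2.215: ICMP echo reply, id 7, seq 1, length 64
"""
# Matched with search(), so an enc0 "(authentic,confidential): SPI ..." prefix is tolerated.
TCP_RE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\],(?: seq (\S+),)? .*length (\d+)")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP ([^,]+), id (\d+), seq (\d+), length (\d+)")

def parse(capture):
    """tcpdump text -> hashable records without timestamps, so both sides compare by content."""
    records = []
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            records.append(("tcp", m[1], m[2], m[3], m[4] or "-", int(m[5])))
            continue
        m = ICMP_RE.search(line)
        if m:
            records.append(("icmp", m[1], m[2], m[3], f"{m[4]}/{m[5]}", int(m[6])))
    return records

def missing_on_branch(sent, received):
    """Packets the data centre side put into the tunnel that never appeared on branch enc0."""
    seen = set(parse(received))
    return [r for r in parse(sent) if r not in seen]

def loss_summary(sent, received):
    """Losses per protocol, plus an assumed heuristic: if every lost packet is larger than
    every delivered one, suspect an MTU/fragmentation problem rather than policy or SPDs."""
    missing = missing_on_branch(sent, received)
    delivered = [r for r in parse(sent) if r not in missing]
    largest_ok = max((r[5] for r in delivered), default=0)
    smallest_lost = min((r[5] for r in missing), default=None)
    return {"missing": {p: sum(1 for r in missing if r[0] == p) for p in ("tcp", "icmp")},
            "largest_delivered": largest_ok, "smallest_missing": smallest_lost,
            "size_dependent": smallest_lost is not None and smallest_lost > largest_ok}
```

Run it against real captures by replacing the two strings with the saved tcpdump output from each firewall; a non-empty `missing` with `size_dependent` true points at the path between the firewalls rather than at rules or SPDs.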
sclaesen

Gave up trying to troubleshoot this, took out the branch office pfSense, and connected the same VPN directly from the 4G/5G router. Worked instantly...

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.